welcome and opening remarks mike watson...2 may isoag agenda mike watson, opening and welcome...
TRANSCRIPT
2
May ISOAG Agenda
Mike Watson, Opening and Welcome Remarks
Steve Orrin, Intel
Blake Carpenter, Grant Thornton, LLP
Shana Sumpter, University of Richmond
Demetrias Rogers, VITA
EMBRACING DIGITAL TRANSFORMATIONEMBRACING DIGITAL TRANSFORMATION
Teleworker Modes of Operation
• Device as a Terminal (VDI)
• Device as part of the Internal Network
• Device as a Portal to Services/SaaS
Cloud Services
Enterprise Data Center
VDI
Display Traffic
Network & Storage Traffic
VDICloud
PrivateCloud
Enterprise Services
4
EMBRACING DIGITAL TRANSFORMATIONEMBRACING DIGITAL TRANSFORMATION
Threats to Teleworking
Network Attacks
Increased Attack Surface Area
Attacks on Video and Collaboration Tools
EMBRACING DIGITAL TRANSFORMATIONEMBRACING DIGITAL TRANSFORMATION
Solutions for Securing the TeleworkerBYOD
Cloud Services
Enterprise Data CenterIT
BYODRich Client
VDICloud
PrivateCloud
EMBRACING DIGITAL TRANSFORMATIONEMBRACING DIGITAL TRANSFORMATION
Solutions for Securing the TeleworkerEnd Points in unsecured environments and networks
Cloud Services
Enterprise Data Center
EnterpriseRich Client
IT
VDICloud
PrivateCloud
EMBRACING DIGITAL TRANSFORMATIONEMBRACING DIGITAL TRANSFORMATION
Solutions for Securing the TeleworkerVDI Systems and Cloud Services
Cloud Services
Enterprise Data Center
VDICloud
PrivateCloud
IT
EMBRACING DIGITAL TRANSFORMATIONEMBRACING DIGITAL TRANSFORMATION
Solutions for Securing the TeleworkerAs-a-Service clients
Cloud Services
Enterprise Data Center
Rich Client
PrivateCloud
IT
EMBRACING DIGITAL TRANSFORMATIONEMBRACING DIGITAL TRANSFORMATION
Solutions for Securing the TeleworkerMisuse and abuse / Insiders
Cloud Services
Enterprise Data Center
Rich Client
VDICloud
PrivateCloud
IT
EMBRACING DIGITAL TRANSFORMATIONEMBRACING DIGITAL TRANSFORMATION
What can I do Today/ Tomorrow• Short-term
• Educate employees
• Home Security Guidance
• Security Training for Telework
• Push Patches and Require Users to Patch their devices
• If you have it, turn on EAC, ERM/DRM and DLP
• Turn on and enforce TLS for your web connections
• Implement Personal Device based 2FA for accessing your resources and content (Enterprise and Cloud)
• Make sure End Point Security Agents are enabled and up to date
• Manage and enforce security policies for the different types of User Devices
• Enable Full disk encryption
• Long-term• Establish zero trust best practices• Implement MFA with physical devices and
other factors• Use ERM and Policy Based Data Access
methodologies• Implement Deep Stack security Solutions
• Secure Boot With Attestation
• Virtualization and Container Security
• Firmware Security and Monitoring
• Extend Audit, Threat Intelligence and Monitoring to Teleworker environments
• Extend enterprise security to the teleworker locations
• Managed Devices, Managed Networks
11
EMBRACING DIGITAL TRANSFORMATIONEMBRACING DIGITAL TRANSFORMATION
Recommendations for Securing the Home Office • System Security Tips
• Update your systems (Windows Update, Mac Update, Phone updates, etc.)
• Update your End Point Security Software and Run regular scans
• Turn on and use Local FW and Enable the router and modem firewall
• Set QoS Settings to allow high bandwidth apps like Video Conferencing priority
• Reduce Runtime Surface area of attack
• Close apps that are not in use
• Close browser before going to new/ different sites
• Logout of/close secure sessions before checking email or browsing
• Modem/Router/WiFi Security Tips• Change the default administrative password of all routers and
modems to something unique
• Use a unique password to access your ISP’s web portal
• Enable two-factor authentication wherever possible.
• Change the WiFi network name (i.e., SSID) password to something unique and Ensure the WiFi network (i.e., SSID) name does not provide any identifying information
• Carefully guard who has knowledge of the WiFi network password
• Enable automatic updates for all routers and modems
• Turn on WPA2 or WPA3
• Disable WPS if possible
• Enable network address translation (NAT)
• Enable DNS filtering on the router and/or modem
• Disable UPnP
STOP. THINK. CONNECT.https://www.stopthinkconnect.org/
EMBRACING DIGITAL TRANSFORMATIONEMBRACING DIGITAL TRANSFORMATION
References• NIST Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security (SP-800-46)
• https://csrc.nist.gov/publications/detail/sp/800-46/rev-2/final
• NIST’s User's Guide to Telework and Bring Your Own Device (BYOD) Security (SP-800—114)
• https://csrc.nist.gov/publications/detail/sp/800-114/rev-1/final
• NIST Advice: Preventing Eavesdropping and Protecting Privacy on Virtual Meetings
• https://www.nist.gov/blogs/cybersecurity-insights/preventing-eavesdropping-and-protecting-privacy-virtual-meetings
• NIST Infographic : Conference Call Security
• https://www.nist.gov/system/files/documents/2020/03/17/Conference%20Call%20Security%20Graphic.pdf
• NIST Telework Security Basics
• https://www.nist.gov/blogs/cybersecurity-insights/telework-security-basics
• ITL BULLETIN MARCH 2020 Security for Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Solutions
• https://csrc.nist.gov/CSRC/media/Publications/Shared/documents/itl-bulletin/itlbul2020-03.pdf
• DHS/CISA Enterprise VPN Security Alert (AA20-073A)
• https://www.us-cert.gov/ncas/alerts/aa20-073a
• DHS/CISA Security Tip (ST04-006) Understanding Patches and Software Updates
• https://www.us-cert.gov/ncas/tips/ST04-006
• Center for Internet Security (CIS) Telework and Small Office Network Security Guide
• https://www.cisecurity.org/blog/small-offices-big-security-new-guide-for-securing-telework-environments/
• https://cdn2.hubspot.net/hubfs/2101505/CIS Controls Telework Security Guide.pdf
EMBRACING DIGITAL TRANSFORMATIONEMBRACING DIGITAL TRANSFORMATION
References con’t• CISA INSIGHTS - Risk Management for Novel Coronavirus (COVID-19)
• https://www.cisa.gov/sites/default/files/publications/20_0306_cisa_insights_risk_management_for_novel_coronavirus_0.pdf
• OPM’s Telework Guidance - Security and IT
• https://www.telework.gov/guidance-legislation/telework-guidance/security-it/
• OMB/Whitehouse memos on Teleworking:
• OMB Memo on Implementing the Telework Enhancement Act of 2010: Security Guidelines
• https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2011/m11-27.pdf
• OMB Memo on Implementing the Telework Enhancement Act of 2010: IT Purchasing https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2011/m11-20.pdf
• GSA: 72 FR 9532 - Information Technology and Telecommunications Guidelines for Federal Telework and Other Alternative Workplace Arrangement Programs
• https://www.govinfo.gov/content/pkg/FR-2007-03-02/pdf/07-951.pdf
• GSA Guidelines for Alternative Workplace Arrangements
• https://www.gsa.gov/cdnstatic/FMRBulletin_2006-B3.pdf
Blockchain and Government
An updated presentation to Virginia Information Technologies
Information Security Officers’ Advisory Group
May 6, 2020
18
What is blockchain technology?
21
• Distributed ledger of transactions
• Enables peer-to-peer trust and exchange of value
Who has read/write privileges?
22
Attributes Shared Databases Private/Consortia
Blockchains
Public Blockchains
Read
Access
Users with
permissions
Users with
permissions
Unrestricted
Write
Access
Users with
permissions
Users with
permissions
Any transaction which
meets blockchain
consensus rules
Examples Google Sheets,
SharePoint
Hyperledger, Corda Bitcoin, Ethereum
How do blockchains validate transactions?
23
• Consensus:• Proof of stake
• Delegation
• Proof of work
• Incentives discourage cheating
• Immutable: expensive/ impractical to alter past transactions
Properties of distributed networks
24
Note the pattern of connections does not
revolve around a single or handful of nodes
Full nodes maintain a complete copy of the
ledger (going back to the "genesis" block)
Taking down one (or even many) nodes may
slow the network temporarily, but not stop it
For public blockchains, anyone with the
appropriate hardware can run a node
Many distributed chains can continue to run
even if there is only one computer running it
Recordkeeping
29
• Transparent, secure authentication of records
• HHS audit trail/EHR
• Treasury's equipment
• Land deed registry
• E-voting/survey data
Smart contracts – what are they?
30
Vending Machine
• Initial setup: the machine must be built, programmed, and stocked before it can be used
• Transparent terms: the price of each product is clearly displayed
• Self-executing: no clerk needed, simply pay and select product
Smart Contract
• Initial setup: the contract code must be programmed and tested for bugs before deployment
• Transparent terms: computer code underlying smart contracts is readable by potential users
• Self-executing: no person needed, blockchain records payment and contract delivers
© 2017 Grant Thornton International Ltd. All rights reserved.
Offer: computer code is programmed
• defines the terms of the agreement
• deployed to a blockchain, e.g. Ethereum
Acceptance: of the offer, for example payment of an insurance
premium or deposit of an asset
Execution: smart contract monitors the blockchain and oracles
for an acceptance. Once satisfied, code executes:
• Payment alone: when funds are received, the contract
delivers the goods/services
• Time-based: e.g. a smart bond makes interest payments on
pre-defined schedule
• Oracle data: third-party or program (IoT) which supplies
external info, e.g.
– Prime interest rate on Jan. 1
– Did it rain in Richmond on Tuesday?
Smart contracts – how do they work?
31
Supply chain and digital identity
32
Supply chain provenance
• USPS package delivery
• Naval aviation parts
• IBM, Walmart Food Trust
Digital identity
• Unforgeable, digital credentials
• CDC crisis response
• Illinois Blockchain Initiative
• Army secure communications
• Enables other use cases such as e-voting or electronic health records
Payments and accounting
33
Digital payments
• Grants and entitlements
• Central Bank Digital Currencies
• Stablecoins
Accounting and audit
• Creation of audit evidence
• Automated internal controls
• Reducing reconciliations
• Impact on audits
Contact Information
Blake Carpenter, CPA
Audit Manager
Grant Thornton, LLP
Twitter.com/@blakechain
LinkedIn.com/in/blakemcarpenter
35
Coronavirus in Virginia
Cases of COVID-19 in Virginia
Governor issues stay at home order for the Commonwealth
Social distancing now the norm
Businesses and schools across Virginia close or go remote
Flatten the curve
Twentieth Century Fox,
2008
Remote Operations Overnight
Business continuity
Got a plan, right?
Telework in 0 to 60
BYOD with or without a policy
Scale up on software and services
Microsoft,
2004
Are We Good?
Buy it! Do it! Make it happen!
Securing the remote workspace
Relax security controls…not so fast
Paper processes
System access
Zoombombing? Is that a thing?
ABC,
1992
“You Like Me! You Really Like Me!”
The network now includes home networks
Security awareness is critical
Cybersecurity really is
everyone’s responsibility now
Don’t add insult to injury
Regulations have not
relaxed, neither should
controls
AP, 1985
Here they come…
Back to “normal”
In-office, remote, or
both
Scale down
About that free software
Return to the office
Out of date workstations
Business processes
Inventory control
AMC, 2016
References
American Broadcasting Company. 1992. “Urkel Much Face.” Retrieved from https://tenor.com/view/urkel-
reactions-faces-emotive-steveurkel-gif-4491512.
AMC Networks. 2016. “The Walking Dead: Pushing Walkers Off The Road.” https://youtu.be/kdphXtLDz_I.
Microsoft. 2004. “Halo 2.” Retrieved from https://youtu.be/82NUo0PNsrI.
The Cut. 2014. “The Science of ‘You Like Me! You Really Like Me!’” Retrieved from
https://www.thecut.com/2014/10/explaining-you-like-me-you-really-like-me.html.
Twentieth Century Fox. 2008. “The Day the Earth Stood Still.” Retrieved from
https://tvguide1.cbsistatic.com/rovi/showcards/movie/292495/thumbs/16815273_1300x1733.jpg.
4
5www.vita.virginia.gov
Cloud Services,
Pricing and Strategy
Demetrias Rodgers,
Director of Platform Operations and Enterprise Services
Kevin Washington,
Cloud Services Lead
May 6, 2020
www.vita.virginia.gov 4
5
4
6
Agenda
• Overview of cloud service providers
• What are the planned cloud deployment services?
• Cloud optimization
• Future state
• Public cloud pricing
www.vita.virginia.gov
4
7www.vita.virginia.gov
Cloud service providers
Service Provider Description
Amazon web services (AWS)
cloud computingAmazon
AWS cloud computing provides on-demand platforms and API’s for
reliable, scalable and inexpensive cloud computing services
Microsoft Azure (Azure) cloud
computingMicrosoft
Azure is a cloud computing service for building, testing, deploying
and managing applications and services
Oracle cloud infrastructure
(OCI)Oracle
OCI is a set of complementary cloud services to build and run a
wide range of applications and services in highly available host
environments
4
8
Cloud servicesInitial cloud services deployment will include services in the following categories:
• Compute services
• Storage services
• Networking and data center services (e.g. monitoring and auditing capabilities)
• DevOps services – (AWS and Azure)
• Data analysis services (data lake and catalog services)
• VITA will continuously make new services available as required
www.vita.virginia.gov
4
9
Cloud workload optimization
• One of the directives VITA has provided is a no “lift and shift” approach for cloud service migrations
• VITA has a duty to ensure that workloads are optimized for cloud consumption prior to migrating to the cloud; if it is not optimized, then it could result in higher costs to the agency and commonwealth as a whole
• VITA will implement artificial intelligence in our environment to analyze application usage and present appropriate cloud templates to ensure the application is migrated with the correct configuration
www.vita.virginia.gov
5
0
Workload utilization
www.vita.virginia.gov
Current workload analysis
• 50 VMs (2%) are performing well and efficiently sized
• 316 VMs (15%) do not have enough resources allocated to prevent performance issues
• 1725 VMs (83%) have more resources allocated than they need
5
1
How are cloud services charged?• Cloud service providers have a few different ways of charging customers.
The methodology varies based on the services an agency leverages:
• Consumption-based
• Monthly costs
• Subscription-based services
• VITA’s chargeback strategy must support the various cloud services offered by VITA, maintaining a balance between the desire to take advantage of service and financial flexibility and the need for cost recovery and predictability, necessary for budget optimization and management
• Propose simplifying the charging mechanism through service bundles to support ordering, chargeback and billing requirements
• There will also be stand-alone services including platform and DevOps services
www.vita.virginia.gov
5
2
Provide data for placement decision BEFORE migration
Data-driven analysis will provide significant cost avoidance by ensuring environments are properly configured and utilizing virtual compute resources best fit for the individual use case. These data points will assist agencies in projecting future costs and highlight gaps in productivity
www.vita.virginia.gov
43%
Less
5
3
Workload placement decisions across clouds
www.vita.virginia.gov
Azure by DeptOn-Demand Allocation
On-Demand Consumption
Storage Allocation
Storage Consumption
Difference
DOC$
12,128 $
5,690 $
3,764 $
2,060 -$8,142.00
DMV$
22,903 $
16,536 $
2,836 $
1,150 -$8,053.00
DSS$
55,941 $
40,268 $
14,401 $
6,847 -$23,227.00
TAX$
41,730 $
31,574 $
8,842 $
3,800 -$15,197.00
VDOT $
72,402 $
60,448$
19,204 $
11,519 -$19,639.00
VEC$
20,181 $
17,100 $
5,071 $
3,334 -$4,818.00
Totals $225,285 $171,616 $54,118 $28,710 -$79,076.00
AWS by DepartmentOn-Demand Allocation
On-Demand Consumption
Storage Allocation
Storage Consumption
Difference
DOC$
9,626 $
5,642 $
2,190 $
1,480 -$4,704.00
DMV$
15,988$
14,642 $
1,346 $
1,183 -$1,509.00
DSS $
45,392 $
37,049 $
6,944 $
4,636 -$10,651.00
TAX $
32,021 $
27,457 $
4,127 $
3,066 -$5,625.00
VDOT $
57,544 $
52,483 $
9,768 $
8,095 -$6,734.00
VEC $
18,183 $
14,623 $
2,565 $
2,358 -$1,202.00
Totals $178,754 $151,896 $26,940 $20,818 -$30,425.00
5
4
Future stateVITA is looking to operate at the speed of business, providing infrastructure, application optimization, and development services that will enable agencies to meet a CI/CD and RAD model.
www.vita.virginia.gov
*CI/CD – Continuous Integration and Continuous Delivery*RAD – Rapid Application Development
5
5www.vita.virginia.gov
Public cloud pricing
*These rates are in addition to existing private cloud rates which are already in use.
Traditional storage rates do not apply to public cloud pricing.
**Additional infrastructure services may be needed to support the public cloud service,
such as increased network bandwidth.
Monthly rate AWS Azure Oracle
Windows instance (Tier 1) $643.90 $643.90 $728.53
Windows instance (Tier 2) $571.86 $571.86 $640.22
Linux instance (Tier 1) $564.23 $564.23 $666.27
Linux instance (Tier 2) $470.88 $470.88 $552.54
Consumption-based cloud charges
(storage)~$0.75/GB on average
Consumption-based cloud charges
(non-storage)
Supplier cost with VITA overhead mark-up
5
6www.vita.virginia.gov
One-time costs• Agency account set-up:
• $564.50 per agency/only charged once per agency
• Setup required to add a new Agency into the Virtual Data Center landing zone
• Managed service account set-up:
• $1,129.00 per project
• Charged per project
• Stealth license set-up:
• $195.88 per instance
• Set-up cost for stealth license service
• Migration and consulting:
• Labor rates
• No mark-up is applied to material costs if required
5
7www.vita.virginia.gov
Rate model
• Developed outside of the normal budget cycle
• Fixed public cloud rates:– Based on public cloud rates in Unisys contract
– Indirect expenses layered into fixed rates• Examples include: Cloud workload optimization service, virtual
firewalls, security, 10GB sandbox, full packet capture, enterprise allocations
• AWS, Azure, and Oracle consumable rates:– Multiple rates that vary in cost each month
– Not possible to develop fixed rates due to the variable nature of cloud pricing
– Marked-up using a percentage to recover indirect expenses
5
8www.vita.virginia.gov
Minimum commitment period
• Public cloud services have a minimum service commitment period of one billing cycle
• A customer will be invoiced the chargeback resource unit rate for one billing cycle even if the service ordered is installed and decommissioned within the same billing cycle
• The chargeback resource unit rate is not prorated for a portion of the billing cycle.
5
9www.vita.virginia.gov
Invoicing of cloud services
• Invoicing of cloud services will follow the normal process
• Expenses will appear within your comprehensive bill
• Fixed rates will be billed on a monthly basis
• Consumable expenses will be billed based on charges incurred by VITA + mark-up %– Applies to AWS, Azure and Oracle expenses
– Different methodology than normal rated services
– Similar to legacy telco approach
6
0www.vita.virginia.gov
FY22+ impact to rates
• The current public cloud rate will change in FY22
Downward rate pressure
• Higher consumption
• Lower fixed expenses
• Over-recovery of expenses
in FY20/21
Upward rate pressure
• Lower projected consumption
• Higher fixed expenses
• Under-recovery of expenses in
FY20/21
63www.vita.virginia.gov 63
The next IS orientation will be held on
June 30, 2020
1 – 3 p.m. in room 1211 (CESC)
Presenter: Marlon Cole (CSRM)
Registration link: http://vita2.virginia.gov/registration/Session.cfm?MeetingID=10
64
Future ISOAG
June 3, 2020
Speakers: Kevin Heaslip,VT
Eric Culbertson, ATOS
Alan Gernhardt, VA Freedom of
Information Advisory Council
ISOAG meets the first Wednesday of each month in 2020